<!DOCTYPE html>
<html lang="en">
<head>
	<meta charset="UTF-8">
	<meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
	<title>OpenID Connect Prepare Authentication API | ElasticSearch 7.7 权威指南中文版</title>
	<meta name="keywords" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <meta name="description" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <!-- Give IE8 a fighting chance -->
    <!--[if lt IE 9]>
    <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
    <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
    <![endif]-->
	<link rel="stylesheet" type="text/css" href="../static/styles.css" />
	<script>
	var _link = 'security-api-oidc-prepare-authentication.html';
    </script>
</head>
<body>
<div class="main-container">
    <section id="content">
        <div class="content-wrapper">
            <section id="guide" lang="zh_cn">
                <div class="container">
                    <div class="row">
                        <div class="col-xs-12 col-sm-8 col-md-8 guide-section">
                            <div style="color:gray; word-break: break-all; font-size:12px;">原英文版地址: <a href="https://www.elastic.co/guide/en/elasticsearch/reference/7.7/security-api-oidc-prepare-authentication.html" rel="nofollow" target="_blank">https://www.elastic.co/guide/en/elasticsearch/reference/7.7/security-api-oidc-prepare-authentication.html</a>, 原文档版权归 www.elastic.co 所有<br/>本地英文版地址: <a href="../en/security-api-oidc-prepare-authentication.html" rel="nofollow" target="_blank">../en/security-api-oidc-prepare-authentication.html</a></div>
                        <!-- start body -->
                  <div class="page_header">
<strong>重要</strong>: 此版本不会发布额外的bug修复或文档更新。最新信息请参考 <a href="https://www.elastic.co/guide/en/elasticsearch/reference/current/index.html" rel="nofollow">当前版本文档</a>。
</div>
<div id="content">
<div class="breadcrumbs">
<span class="breadcrumb-link"><a href="index.html">Elasticsearch Guide [7.7]</a></span>
»
<span class="breadcrumb-link"><a href="rest-apis.html">REST APIs</a></span>
»
<span class="breadcrumb-link"><a href="security-api.html">Security APIs</a></span>
»
<span class="breadcrumb-node">OpenID Connect Prepare Authentication API</span>
</div>
<div class="navheader">
<span class="prev">
<a href="security-api-invalidate-token.html">« Invalidate token API</a>
</span>
<span class="next">
<a href="security-api-oidc-authenticate.html">OpenID Connect authenticate API »</a>
</span>
</div>
<div class="section xpack">
<div class="titlepage"><div><div>
<h2 class="title">
<a id="security-api-oidc-prepare-authentication"></a>OpenID Connect Prepare Authentication API<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/rest-api/security/oidc-prepare-authentication-api.asciidoc">edit</a><a class="xpack_tag" href="https://www.elastic.co/subscriptions"></a>
</h2>
</div></div></div>
<p>Creates an oAuth 2.0 authentication request as a URL string based on the
configuration of the respective OpenID Connect authentication realm in Elasticsearch.</p>
<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="security-api-oidc-prepare-authentication-request"></a>Request<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/rest-api/security/oidc-prepare-authentication-api.asciidoc">edit</a>
</h3>
</div></div></div>
<p><code class="literal">POST /_security/oidc/prepare</code></p>
</div>

<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="security-api-oidc-prepare-authentication-desc"></a>Description<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/rest-api/security/oidc-prepare-authentication-api.asciidoc">edit</a>
</h3>
</div></div></div>
<p>The response of this API is a URL pointing to the Authorization Endpoint of the
configured OpenID Connect Provider and can be used to redirect the browser of
the user in order to continue the authentication process.</p>
<p>Elasticsearch exposes all the necessary OpenID Connect related functionality via the
OpenID Connect APIs. These APIs are used internally by Kibana in order to provide
OpenID Connect based authentication, but can also be used by other, custom web
applications or other clients. See also
<a class="xref" href="security-api-oidc-authenticate.html" title="OpenID Connect authenticate API">OpenID Connect authenticate API</a>
and <a class="xref" href="security-api-oidc-logout.html" title="OpenID Connect logout API">OpenID Connect logout API</a>.</p>
</div>

<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="security-api-oidc-prepare-authentication-request-body"></a>Request body<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/rest-api/security/oidc-prepare-authentication-api.asciidoc">edit</a>
</h3>
</div></div></div>
<p>The following parameters can be specified in the body of the request:</p>
<div class="variablelist">
<dl class="variablelist">
<dt>
<span class="term">
<code class="literal">realm</code>
</span>
</dt>
<dd>
  (Optional, string) The name of the OpenID Connect realm in Elasticsearch the configuration of which should
be used in order to generate the authentication request. Cannot be specified
when <code class="literal">iss</code> is specified. One of <code class="literal">realm</code>, <code class="literal">iss</code> is required.
</dd>
<dt>
<span class="term">
<code class="literal">state</code>
</span>
</dt>
<dd>
  (Optional, string) Value used to maintain state between the authentication request and the
response, typically used as a Cross-Site Request Forgery mitigation. If the
caller of the API doesn’t provide a value, Elasticsearch will generate one with
sufficient entropy itself and return it in the response.
</dd>
<dt>
<span class="term">
<code class="literal">nonce</code>
</span>
</dt>
<dd>
  (Optional, string) Value used to associate a Client session with an ID Token and to mitigate
replay attacks. If the caller of the API doesn’t provide a value, Elasticsearch will
generate one with sufficient entropy itself and return it in the response.
</dd>
<dt>
<span class="term">
<code class="literal">iss</code>
</span>
</dt>
<dd>
  (Optional, string) In the case of a 3rd Party initiated Single Sign On, this is the Issuer
Identifier for the OP that the RP is to send the Authentication Request to.
Cannot be specified when <code class="literal">realm</code> is specified. One of <code class="literal">realm</code>, <code class="literal">iss</code> is required.
</dd>
<dt>
<span class="term">
<code class="literal">login_hint</code>
</span>
</dt>
<dd>
  (Optional, string) In the case of a 3rd Party initiated Single Sign On, a string value to be
included in the authentication request, as the <code class="literal">login_hint</code> parameter. This
parameter is not valid when <code class="literal">realm</code> is specified
</dd>
</dl>
</div>
</div>

<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="security-api-oidc-prepare-authentication-example"></a>Examples<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/rest-api/security/oidc-prepare-authentication-api.asciidoc">edit</a>
</h3>
</div></div></div>
<p>The following example generates an authentication request for the OpenID Connect
Realm <code class="literal">oidc1</code>:</p>
<div class="pre_wrapper lang-console">
<pre class="programlisting prettyprint lang-console">POST /_security/oidc/prepare
{
  "realm" : "oidc1"
}</pre>
</div>
<div class="console_widget" data-snippet="snippets/2124.console"></div>
<p>The following example output of the response contains the URI pointing to the Authorization Endpoint of the OpenID Connect Provider with all the parameters of
the Authentication Request, as HTTP GET parameters:</p>
<div class="pre_wrapper lang-console-result">
<pre class="programlisting prettyprint lang-console-result">{
  "redirect" : "http://127.0.0.1:8080/c2id-login?scope=openid&amp;response_type=id_token&amp;redirect_uri=https%3A%2F%2Fmy.fantastic.rp%2Fcb&amp;state=4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I&amp;nonce=WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM&amp;client_id=elasticsearch-rp",
  "state" : "4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I",
  "nonce" : "WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM"
}</pre>
</div>
<p>The following example generates an authentication request for the OpenID Connect
Realm <code class="literal">oidc1</code>, where the values for the state and the nonce have been generated
by the client:</p>
<div class="pre_wrapper lang-console">
<pre class="programlisting prettyprint lang-console">POST /_security/oidc/prepare
{
  "realm" : "oidc1",
  "state" : "lGYK0EcSLjqH6pkT5EVZjC6eIW5YCGgywj2sxROO",
  "nonce" : "zOBXLJGUooRrbLbQk5YCcyC8AXw3iloynvluYhZ5"
}</pre>
</div>
<div class="console_widget" data-snippet="snippets/2125.console"></div>
<p>The following example output of the response contains the URI pointing to the Authorization Endpoint of the OpenID Connect Provider with all the parameters of
the Authentication Request, as HTTP GET parameters:</p>
<div class="pre_wrapper lang-console-result">
<pre class="programlisting prettyprint lang-console-result">{
  "redirect" : "http://127.0.0.1:8080/c2id-login?scope=openid&amp;response_type=id_token&amp;redirect_uri=https%3A%2F%2Fmy.fantastic.rp%2Fcb&amp;state=lGYK0EcSLjqH6pkT5EVZjC6eIW5YCGgywj2sxROO&amp;nonce=zOBXLJGUooRrbLbQk5YCcyC8AXw3iloynvluYhZ5&amp;client_id=elasticsearch-rp",
  "state" : "lGYK0EcSLjqH6pkT5EVZjC6eIW5YCGgywj2sxROO",
  "nonce" : "zOBXLJGUooRrbLbQk5YCcyC8AXw3iloynvluYhZ5"
}</pre>
</div>
<p>The following example generates an authentication request for a 3rd party
initiated single sign on, specifying the issuer that should be used for matching
the appropriate OpenID Connect Authentication realm:</p>
<div class="pre_wrapper lang-console">
<pre class="programlisting prettyprint lang-console">POST /_security/oidc/prepare
{
  "iss" : "http://127.0.0.1:8080",
  "login_hint": "this_is_an_opaque_string"
}</pre>
</div>
<div class="console_widget" data-snippet="snippets/2126.console"></div>
<p>The following example output of the response contains the URI pointing to the Authorization Endpoint of the OpenID Connect Provider with all the parameters of
the Authentication Request, as HTTP GET parameters:</p>
<div class="pre_wrapper lang-console-result">
<pre class="programlisting prettyprint lang-console-result">{
  "redirect" : "http://127.0.0.1:8080/c2id-login?login_hint=this_is_an_opaque_string&amp;scope=openid&amp;response_type=id_token&amp;redirect_uri=https%3A%2F%2Fmy.fantastic.rp%2Fcb&amp;state=4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I&amp;nonce=WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM&amp;client_id=elasticsearch-rp",
  "state" : "4dbrihtIAt3wBTwo6DxK-vdk-sSyDBV8Yf0AjdkdT5I",
  "nonce" : "WaBPH0KqPVdG5HHdSxPRjfoZbXMCicm5v1OiAj0DUFM"
}</pre>
</div>
</div>

</div>
<div class="navfooter">
<span class="prev">
<a href="security-api-invalidate-token.html">« Invalidate token API</a>
</span>
<span class="next">
<a href="security-api-oidc-authenticate.html">OpenID Connect authenticate API »</a>
</span>
</div>
</div>

                  <!-- end body -->
                        </div>
                        <div class="col-xs-12 col-sm-4 col-md-4" id="right_col">
                        
                        </div>
                    </div>
                </div>
            </section>
        </div>
    </section>
</div>
<script src="../static/cn.js"></script>
</body>
</html>